I. Basis of the report

1. With regard to the elements of the international application:*

   the description: pages (See Attached)
      as originally filed
      filed with the demand
      filed with the letter of

   the claims: pages (See Attached)
      as originally filed
      as amended (together with any statement) under Article 19
      filed with the demand
      filed with the letter of

   the drawings: pages (See Attached)
      as originally filed
      filed with the demand
      filed with the letter of

   the sequence listing part of the description: pages (See Attached)
      as originally filed
      filed with the demand
      filed with the letter of

2. With regard to the language, all the elements marked above were available or furnished to this Authority in the language in which the international application was filed, unless otherwise indicated under this item.

These elements were available or furnished to this Authority in the following language which is:

   [ ] the language of a translation furnished for the purposes of international search (under Rule 23.1(b)).
   [ ] the language of publication of the international application (under Rule 48.3(b)).
   [ ] the language of the translation furnished for the purposes of international preliminary examination (under Rules 55.2 and/or 55.3).

3. With regard to any nucleotide and/or amino acid sequence disclosed in the international application, the international

   [ ] contained in the international application in printed form.
   [ ] filed together with the international application in computer readable form.
   [ ] furnished subsequently to this Authority in written form.
   [ ] furnished subsequently to this Authority in computer readable form.

   [ ] The statement that the subsequently furnished written sequence listing does not go beyond the disclosure in the international application as filed has been furnished.
   [ ] The statement that the information recorded in computer readable form is identical to the written sequence listing has been furnished.

4. [X] Amendments have resulted in the cancellation of:

   [X] the description, pages NONE
   [X] the claims, Nos. NONE
   [X] the drawings, sheets/fig NONE

   [ ] This report has been drawn as if (some of) the amendments had not been made, since they have been considered to go beyond the disclosure as filed, as indicated in the Supplemental Box (Rule 70.2(c)).**

* Replacement sheets which have been furnished to the receiving Office in response to an invitation under Article 14 are referred to in this report as "originally filed" and are not annexed to this report since they do not contain amendments (Rules 70.16 and 70.17).

** Any replacement sheet containing such amendments must be referred to under item 1 and annexed to this report.
V. Reasoned statement under Article 35(2) with regard to novelty, inventive step or industrial applicability;
citations and explanations supporting such statement

1. Statement

   Novelty (N)                     Claims 8, 15, 17, 22-42         YES
                                   Claims 1-7, 9-14, 16, 18-21     NO

   Inventive Step (IS)             Claims NONE                     YES
                                   Claims 1-42                     NO

   Industrial Applicability (IA)   Claims 1-42                     YES
                                   Claims NONE                     NO

2. Citations and explanations (Rule 70.7)

Claims 1-7, 9-14, 16, 18-21 lack novelty under PCT Article 33(2) as being anticipated by MacDoran.

Claim 1: MacDoran teaches pre-encrypting the content (col. 28, lines 61-67 and col. 29, lines 45-51), forwarding the pre-encrypted content to a server (col. 10, lines 26-54), providing a first tag to a user terminal, the first tag being associated with a second tag (col. 10, lines 31-54), the second tag acting as a reference to the pre-encrypted content and associated first tag, wherein the first and second tags are unique to the pre-encrypted content and are tracked by a pre-encryption controller (col. 10, lines 31-54), providing at least the second tag to the server (col. 10, lines 48-54), communicating the pre-encrypted content from the server to the user terminal via a first communication path (col. 10, lines 26-54), communicating an entitlement authorization associated with the pre-encrypted content to the user terminal via a second communication path independent of the first communication path (col. 10, lines 48-54), and determining whether the user terminal is authorized to access the pre-encrypted content based on the entitlement authorization and the first tag upon demand of the content by a user (col. 10, lines 50-63).

Claim 2: MacDoran teaches claim 1. MacDoran teaches the server is a main server (Fig. 1, #150), the main server communicates the pre-encrypted content and first tag to the user terminal via a local distribution server (Fig. 1, #110), and the pre-encryption controller is in communication with a local distribution controller, which communicates the entitlement authorization to the user terminal (Fig. 1, #109).

Claim 3: MacDoran teaches claim 2. MacDoran teaches the first tag is an opaque data block (ODB) (col. 10, lines 31-54) and the second tag is a unique reference handle (URH) (col. 10, lines 48-54).

Claim 4: MacDoran teaches claim 3. MacDoran teaches (Continued on Supplemental Sheet.)
I. BASIS OF REPORT:

This report has been drawn on the basis of the description,
page(s) 1-4, 6-14, 17-18, as originally filed,
page(s) NONE, filed with the demand,
and additional amendments:

Pages 5, 15-16, filed with the letter of 19 April 2001.

This report has been drawn on the basis of the claims,
page(s) 19-23, 25-27, as originally filed,
page(s) NONE, as amended under Article 19,
page(s) NONE, filed with the demand,
and additional amendments:

Page 24, filed with the letter of 19 April 2001.

This report has been drawn on the basis of the drawings,
page(s) 1-3, as originally filed,
page(s) NONE, filed with the demand,
and additional amendments:

NONE

This report has been drawn on the basis of the sequence listing part of the description:
page(s) NONE, as originally filed,
page(s) NONE, filed with the demand,
and additional amendments:

NONE



V. 2. REASONED STATEMENTS - CITATIONS AND EXPLANATIONS (Continued): 

comprising the further step of forwarding the ODB and associated URH to the local distribution controller (col. 10, lines 34- 
48). 

Claim 5: MacDoran teaches claim 3. MacDoran teaches the URH is forwarded to the main server, further comprising the 
steps of: communicating the ODB from the local distribution controller to the local distribution server (col. 10, lines 31-41). 

Claim 6: MacDoran teaches claim 5. MacDoran teaches the ODB is processed at the local distribution controller to generate 
a second ODB, which second ODB is forwarded from the local distribution controller to the local distribution server (col. 29, 
lines 61-67 and col. 30, lines 1-11). 

Claim 7: MacDoran teaches claim 3. MacDoran teaches the pre-encrypted content is broadcast (col. 10, lines 26-31), the ODB is broadcast (col. 10, lines 26-34), and only a user terminal with appropriate entitlement authorization will be able to decrypt the broadcast content (col. 10, lines 26-54).

Claim 9: MacDoran teaches claim 3. MacDoran teaches the pre-encrypted content is singlecast (col. 28, lines 26-31), the ODB is singlecast (col. 28, lines 26-44), and only a user terminal with appropriate entitlement authorization will be able to decrypt the singlecast content (col. 28, lines 39-44).

Claim 10: MacDoran teaches claim 3. MacDoran teaches the entitlement authorization comprises at least one of (i) an 
entitlement authorization for a service carrying the content, (ii) an entitlement authorization for the content itself, and (iii) an 
entitlement authorization for using ODB (col. 10, lines 26-54 or col. 12, lines 48-62). 

Claim 11: MacDoran teaches claim 3. MacDoran teaches forwarding the ODB from a server application via an application program interface in the user terminal to a kernel located in the user terminal (col. 29, lines 8-15), processing the ODB in conjunction with the received entitlement authorization such that the processor determines whether to decrypt the received pre-encrypted content (col. 10, lines 26-54), receiving the pre-encrypted content (col. 10, lines 26-34), decrypting the pre-encrypted content when authorization is granted (col. 11, lines 31-48), and processing the decrypted content for display (col. 11, lines 31-48).
Claim 12: MacDoran teaches claim 11. MacDoran teaches the pre-encrypted content is received by the secure processor via direct memory access from device memory (col. 28, lines 53-67 and col. 29, lines 1-8).

Claim 13: MacDoran teaches claim 11. MacDoran teaches the pre-encrypted content is received by the secure processor via 
direct memory access from device memory (col. 28, lines 53-67 and col. 29, lines 1-18). 

Claim 14: MacDoran teaches claim 3. MacDoran teaches the ODB is coded in a manner that is not readily discernable by third parties (col. 29, lines 37-44).

Claim 16: MacDoran teaches claim 3. MacDoran teaches ODB itself is encrypted (col. 29, lines 37-44). 

Claim 18: MacDoran teaches claim 3. MacDoran teaches the user terminal is one of a set-top box, a digital television or a host with point-of-deployment capability, or a personal computer (col. 15, lines 40-47).

Claim 19: MacDoran teaches claim 3. MacDoran teaches one of the URH and the ODB is stored as an attribute of the pre- 
encrypted content (col. 17, lines 64-67 and col. 18, lines 1-12). 

Claim 20: MacDoran teaches claim 3. MacDoran teaches each of the URH and the ODB are stored as an attribute of the pre- 
encrypted content (col. 17, lines 64-67 and col. 18, lines 1-12). 

Claim 21: MacDoran teaches claim 3. MacDoran teaches the pre-encrypted content is accessed via the Internet (col. 13, lines 
19-27). 

Claims 8, 22-35, and 37-42 lack an inventive step under PCT Article 33(3) as being obvious over MacDoran in view of Mittra.

Claim 8: MacDoran teaches claim 3. Mittra teaches the pre-encrypted content is multicast (col. 2, lines 1-45), the ODB is multicast (col. 1, lines 59-67), and only a user terminal with appropriate entitlement authorization will be able to decrypt the multicast content (col. 1, lines 59-67 and col. 2, lines 58-67).

Claim 22: MacDoran teaches an apparatus for providing access control for pre-encrypted on-demand content (col. 28, lines 53-67), an encryption device for encrypting the content (col. 29, lines 1-18), a server for receiving the pre-encrypted content from the encryption device (col. 10, lines 26-34), a pre-encryption controller for generating a first tag and an associated second tag, the second tag acting as a reference to the pre-encrypted content and associated first tag, wherein the first tag and second tag are unique to the pre-encrypted content and are tracked by the pre-encryption controller (col. 10, lines 31-54), and a user terminal for receiving entitlement authorization associated with the pre-encrypted content (col. 13, lines 45-63), and the first tag being communicated to a user terminal and the second tag being communicated to the server (col. 13, lines 45-63). Mittra teaches the user terminal determines whether it is authorized to access the pre-encrypted content based on the entitlement authorization and the first tag upon demand of the content by a user (col. 13, lines 45-63).

Claim 23: MacDoran in view of Mittra teaches claim 22. MacDoran teaches the pre-encryption controller is in communication with a local distribution controller, which communicates the entitlement authorization to the user terminal (col. 14, lines 42-56). Mittra teaches the server is a main server (col. 7, lines 11-14) and the main server communicates the pre-encrypted content and first tag to the user terminal via a local distribution server (col. 7, lines 11-14).

Claim 24: MacDoran in view of Mittra teaches claim 23. MacDoran teaches the first tag is an opaque data block (ODB) (col. 10, lines 31-54) and the second tag is a unique reference handle (URH) (col. 10, lines 48-54).

Claim 25: MacDoran in view of Mittra teaches claim 24. MacDoran teaches the local distribution controller receives the 
ODB and associated URH from the pre-encryption controller (col. 10, lines 26-54). 

Claim 26: MacDoran in view of Mittra teaches claim 24. MacDoran teaches the main server receives only the URH from the 
pre-encryption controller (col. 10, lines 48-54) and the local distribution controller communicates the ODB to the local 
distribution server (col. 10, lines 31-54). 

Claim 27: MacDoran in view of Mittra teaches claim 26. MacDoran teaches the ODB is processed at the local distribution 
controller to generate a second ODB, which second ODB is forwarded from the local distribution controller to the local 
distribution server (col. 29, lines 61-67 and col. 30, lines 1-11).

Claim 28: MacDoran teaches the pre-encryption content is broadcast (col. 10, lines 26-31), the ODB is broadcast (col. 10, lines 26-34), and only a user terminal with appropriate entitlement authorization will be able to decrypt the broadcast content (col. 10, lines 26-54).

Claim 29: MacDoran in view of Mittra teaches claim 24. Mittra teaches the pre-encrypted content is multicast (col. 2, lines 1-45), the ODB is multicast (col. 1, lines 59-67), and only a user terminal with appropriate entitlement authorization will be able to decrypt the multicast content (col. 2, lines 58-67).

Claim 30: MacDoran in view of Mittra teaches claim 24. MacDoran teaches the pre-encrypted content is singlecast (col. 28, lines 20-31), the ODB is singlecast (col. 28, lines 26-44), and only a user terminal with appropriate entitlement authorization will be able to decrypt the singlecast content (col. 28, lines 39-44).

Claim 31: MacDoran in view of Mittra teaches claim 24. MacDoran teaches entitlement authorization comprises at least one of (i) an entitlement authorization for a service carrying the content, (ii) an entitlement authorization for the content itself, (iii) an entitlement authorization for using ODB (col. 10, lines 26-54 and col. 12, lines 48-62).

Claim 32: MacDoran in view of Mittra teaches claim 24. MacDoran teaches a client application using a program interface for forwarding the ODB from the local distribution server to a kernel (col. 28, lines 8-15), the kernel receiving the ODB via the application program interface and the entitlement authorization from the local distribution controller (col. 29, lines 8-15), and a secure processor for receiving the ODB and entitlement authorization from the kernel and receiving the pre-encrypted content from the local distribution server (col. 29, lines 8-15), and the processor processes the ODB in conjunction with entitlement authorization such that the processor determines whether to decrypt the received pre-encrypted content (col. 10, lines 26-54).

Claim 33: MacDoran in view of Mittra teaches claim 24. MacDoran teaches the secure processor receives the pre-encrypted 
content via a receiver circuit (col. 10, lines 26-54). 

Claim 34: MacDoran in view of Mittra teaches claim 24. MacDoran teaches the secure processor receives the pre-encrypted 
content via direct memory access from device memory (col. 28, lines 53-67 & col. 29, lines 1-18). 

Claim 35: MacDoran in view of Mittra teaches claim 24. MacDoran teaches the ODB is coded in a manner that is not readily discernable by third parties (col. 29, lines 37-44).

Claim 37: MacDoran in view of Mittra teaches claim 24. Mittra teaches the ODB itself is encrypted (col. 8, lines 15-22). 

Claim 38: MacDoran in view of Mittra teaches claim 37. Mittra teaches the ODB is encrypted using the user's public key 
(col. 8, lines 15-22). 

Claim 39: MacDoran in view of Mittra teaches claim 24. Mittra teaches the user terminal is one of a set-top box, a digital television or a host with point-of-deployment capability (col. 4, lines 45-67).

Claim 40: MacDoran in view of Mittra teaches claim 24. MacDoran teaches one of the URH and the ODB is stored as an attribute of the pre-encrypted content (col. 17, lines 64-67 and col. 18, lines 1-12).

Claim 41: MacDoran in view of Mittra teaches claim 24. MacDoran teaches each of the URH and the ODB are stored as an 
attribute of the pre-encrypted content (col. 17, lines 64-67 and col. 18, lines 1-12). 

Claim 42: MacDoran in view of Mittra teaches claim 24. MacDoran teaches the pre-encrypted content is accessed via the Internet (col. 13, lines 19-27).

Claims 15 and 17 lack an inventive step under PCT Article 33(3) as being obvious over MacDoran in view of Lidinsky. 

Claim 15: MacDoran in view of Mittra teaches claim 3. Mittra teaches the ODB content includes one of an encryption key or a hierarchy of encryption keys (col. 46, lines 60-63).

Claim 17: MacDoran in view of Mittra teaches claim 16. MacDoran teaches the ODB is encrypted using the user's public 
key (col. 46, lines 60-63).

Claim 36 lacks an inventive step under PCT Article 33(3) as being obvious over MacDoran in view of Mittra, further in view 
of Lidinsky. 

Claim 36: MacDoran in view of Mittra teaches claim 24. Lidinsky teaches the ODB content includes one of an encryption key 
or a hierarchy of encryption keys (col. 46, lines 60-63). 
NEW CITATIONS

US 5,748,736 A (MITTRA et al) 05 MAY 1998, see columns 1-4 & 7-8, lines 1-67.
US 5,757,916 A (MACDORAN et al) 06 OCTOBER 1995, see columns 10-15 & 28-30.
US 4,897,874 A (LIDINSKY et al) 03 MARCH 1988, see column 46, lines 60-63.
SUMMARY OF THE INVENTION

In accordance with the present invention, a method and apparatus are provided for access control of pre-encrypted on-demand content. In a simplified embodiment, the content is pre-encrypted by an encryption device controlled by a pre-encryption controller. The pre-encrypted content is forwarded from the encryption device to a server. The server may be a main server or a local distribution server. The pre-encryption controller provides a first tag to the user terminal and a second tag to the server. The first tag is associated with the second tag and the second tag acts as a reference to the pre-encrypted content and associated first tag, wherein said first and second tags are unique to the pre-encrypted content and are tracked by the pre-encryption controller. The pre-encrypted content is communicated from the server to a user terminal via a first communication path.

An entitlement authorization associated with the encrypted content is communicated to a user terminal (e.g., a "client device" such as a set-top box) via a second communication path independent of said first communication path. Authorization to access the pre-encrypted content is determined based on said entitlement authorization and said first tag upon demand of said content by a user.

The user terminal may be a set-top box, a
security. In the on-demand case, the ODB itself may also be encrypted (with an additional level of implementation complexity) using, for example, the recipient's public key. In the case of broadcast or multicast content, the ODB may be made available in advance since it is associated with the event or content to be viewed or received. Encryption of the ODB using the user's public key is extremely useful for the IP transport case where the system administrator has the option to make known what events are available when, e.g. via an Electronic Programming Guide (EPG). In this manner the ODB content is securable as deemed necessary without burdening the content providers or service vendors. In addition, the entitlement control is upgradeable without impacting the content providers or service vendors.

The pre-encrypted content may be broadcast, multicast, or singlecast such that only a user terminal 20 with appropriate entitlement authorization will be able to decrypt the broadcast, multicast, or singlecast content. Alternatively, the pre-encrypted content may be accessed via the Internet.

The entitlement authorization may comprise at least one of (i) an entitlement authorization for a service carrying the content, (ii) an entitlement authorization for the content itself, and (iii) an entitlement authorization for using the ODB.
Figure 3 depicts the processing that takes place at the user terminal 20. The client application 40 (typically residing in a user terminal 20 such as a set-top box) requests specific content from the server (either the server 12 of Figure 1 or local distribution server 18 of Figure 2), such as a video on demand (VOD) movie or any other interactive content. The server then sends the ODB to the client application device 40. After this set-up is completed, the server 18 starts sending the pre-encrypted content to the user terminal 20.

The client application 40 (e.g. software) running in the user terminal processor (CPU) 36 receives the ODB from a server application in the server 12 or local distribution server 18, as described in connection with Figures 1 and 2, and forwards it via an application program interface (API) 42 to the user terminal processor kernel 44. In the broadcast and multicast modes, the ODB may be made available ahead of time, before the actual broadcast or multicast event commences. In this case the ODB may be requested by and sent to the user by the local distribution controller (16). The ODB is then processed in the user terminal 20 in conjunction with the received entitlement authorization (as described in connection with Figures 1 and 2) to determine whether to decrypt the received pre-encrypted content.
authorization associated with the pre-encrypted content;

said first tag being communicated to the user terminal and said second tag being communicated to the server;

wherein the user terminal determines whether it is authorized to access said pre-encrypted content based on said entitlement authorization and said first tag upon demand of said content by a user.

23. An apparatus in accordance with claim 22, wherein:

the server is a main server;

the main server communicates the pre-encrypted content and first tag to the user terminal via a local distribution server; and

the pre-encryption controller is in communication with a local distribution controller, which local distribution controller communicates the entitlement authorization to the user terminal.

24. An apparatus in accordance with claim 23, wherein:

the first tag is an opaque data block (ODB); and

the second tag is a unique reference handle (URH).

25. An apparatus in accordance with claim 24, wherein the local distribution controller receives the ODB and associated URH from the pre-encryption controller.
METHOD AND APPARATUS FOR ACCESS CONTROL OF PRE-ENCRYPTED ON-DEMAND TELEVISION SERVICES

This application claims the benefit of U.S. provisional patent application no. 60/132,365 filed May 4, 1999.

BACKGROUND OF THE INVENTION

The present invention relates to the communication of information services over a communication network, and more particularly to providing access control for signals containing audiovisual content and services, such as on-demand television programming. In order to render subscription programming services and the like commercially viable, systems must be provided for preventing non-paying individuals from obtaining the services. Such "access control" systems can take various forms, but generally include some type of modification (e.g., scrambling) or encryption of the signals that carry the services. Only authorized subscribers have access to the elements (e.g., cryptographic keys) necessary to satisfactorily receive the signals.

Current techniques for decryption of signals such as on-demand services may be based on real time hardware based encryption solutions or based on pre-encryption methods. Some configurations allow for cost effective real time encryption at the transport level but are not as effective at a service level. Such problems, together with the following additional factors, require a new solution that provides a reliable and cost-effective means for access control of on-demand services:

1. Current real-time encryption does not meet the cost model for on-demand services, in that it is expensive to implement.

2. In some configurations real time encryption requires too much real-estate at service provider sites (currently, for example, various video-on-demand (VOD) vendors are consolidating their servers and signal modulators (e.g., QAM modulators) in space efficient packaging which bypasses a real-time encryption stage).

3. Pre-encryption is inherently not as secure as real-time encryption. At the same time, on-demand content security requirements are less stringent than those of broadcast content. For example, there is no a priori knowledge of when certain content will be requested in the on-demand case. In the broadcast case, the content is always being sent and the schedules are known ahead of time.

4. MPAA (Motion Picture Association of America) has issues with clear (i.e., unencrypted)
content, such as movies, and expects such content to be protected.

5. Entitlement control should be upgradeable without impacting content providers or server vendors. Stronger solutions should be able to be incorporated gradually as the need dictates.

6. Secure content delivery of MPEG-2 (Motion Picture Experts Group) using Internet Protocol (IP) for point to point on demand services or multicast services must be facilitated.

7. Transport independent entitlement control (e.g., MPEG-2 or IP) must be provided.

It would be advantageous to provide a method and apparatus for access control of on-demand services that addresses the above-noted issues. In particular, it would be advantageous to provide a content pre-encryption method that enables entitlement control to be effectively implemented independent of the transport protocol, e.g., MPEG-2 or IP.

It would be still further advantageous to provide such a capability that can be offered as a separate service to content providers, server vendors, and cable system operators. The present invention can be adapted for use with different types of provider networks, e.g. satellite and Internet based networks.

The present invention provides a system having these and other advantages. In particular, the invention disclosed herein extends existing encryption capability, such as that provided by the Digicipher II (DCII) system available from General Instrument Corporation of Horsham, Pennsylvania, USA, the assignee of the present invention, to handle pre-encrypted content that is requested on demand by a viewer or is sent to a group of viewers. The method of the invention is also upgradeable to facilitate implementations of entitlement control algorithms that vary in sophistication as the need dictates. Additionally, the method is extensible to enable encryption control that is independent of the transport protocol used. Such protocols include, for example, MPEG-2 and Internet Protocol (IP).
SUMMARY OF THE INVENTION

In accordance with the present invention, a method and apparatus are provided for access control of pre-encrypted on-demand content. In a simplified embodiment, the content is pre-encrypted by an encryption device controlled by a pre-encryption controller. The pre-encrypted content is forwarded from the encryption device to a server. The server may be a main server or a local distribution server. The pre-encryption controller provides a first tag to the user terminal and a second tag to the server. Said first tag is associated with said second tag and said second tag acts as a reference to the pre-encrypted content and associated first tag, wherein said first and second tags are unique to the pre-encrypted content and are tracked by the pre-encryption controller. The pre-encrypted content is communicated from the server to a user terminal via a first communication path.

An entitlement authorization associated with the encrypted content is communicated to a user terminal (e.g., a "client device" such as a set-top box) via a second communication path independent of said first communication path. Authorization to access the pre-encrypted content is determined based on said entitlement authorization and said first tag upon demand of said content by a user.

The user terminal may be a set-top box, a
digital television or a host with point-of-deployment (POD) capability, or a personal computer (PC) or the like that provides the functionality of a set-top box.

The pre-encryption controller acts to set up the encryption device for pre-encrypting the content. The set up of the encryption device is outside the scope of this invention. For background purposes, it will suffice to state that the pre-encryption controller, through bi-directional communication with the encryption device, configures the encryption device with appropriate parametric values and commands to enable the encryption device appropriately to encrypt the content.

In an alternate embodiment, the server is a main server (e.g., a head-end server) which communicates the pre-encrypted content and first tag to the user terminal via a local distribution server. The pre-encryption controller is in communication with a local distribution controller (e.g., a head-end controller in a cable television implementation), which local distribution controller communicates the entitlement authorization to the user terminal.

In a preferred embodiment, the first tag is an opaque data block (ODB) and the second tag is a unique reference handle (URH). The URH may be generated as a function of the ODB.

In one embodiment, the ODB and URH are both
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forwarded to both the local distribution controller 
and the server from the pre-encryption controller. 
In an alternate embodiment, only the URH is 
forwarded to the main server and the ODB is 
5 communicated from the local distribution controller 
to the local distribution server. 

In one embodiment the ODB or the URH may be 
stored as an attribute of the encrypted content. 
Alternatively, both the URH and the ODB are stored 
10 as an attribute of the encrypted content. 

The ODB may be processed at the local distribution controller to generate a second ODB, which second ODB is forwarded from the local distribution controller to the local distribution server. This processing at the local distribution controller may include algorithmically modifying the ODB. Such reprocessing of the ODB at the local distribution controller provides an added level of security since the post-processing ODBs are no longer the same across multiple local distribution controllers.

The ODB itself may be coded in a manner that is not readily discernable by third parties. Alternatively, the ODB content may include an encryption key to be used for decryption or used to derive the key for decryption. The ODB may also include a hierarchy of encryption keys whose ultimate use is the derivation of the relevant key for decryption but with added levels of security. In this manner the ODB content is securable as deemed necessary without burdening the content providers or service vendors. In the on-demand case, the ODB itself may also be encrypted, using, for example, the recipient's public key.

The pre-encrypted content may be broadcast, multicast, or singlecast such that only a user terminal with appropriate entitlement authorization will be able to decrypt the broadcast, multicast, or singlecast content. Alternatively, the pre-encrypted content may be accessed via the Internet.

The entitlement authorization may comprise at least one of (i) an entitlement authorization for a service carrying the content, (ii) an entitlement authorization for the content itself, and (iii) an entitlement authorization for using ODB.

In a preferred embodiment, a client application (typically software residing in a user terminal such as a set-top box) then requests specific content from the server, such as a video on demand (VOD) movie or any other interactive content. The ODB is forwarded from a server application to the client application software that typically resides in a central processor (CPU) of the user terminal. After this set-up is completed, the server starts sending the pre-encrypted content to the user terminal. The ODB is then forwarded from the client application via an application program interface in the CPU to a kernel located in the user terminal. The ODB is then processed in the user terminal in conjunction with the received entitlement authorization to determine whether to decrypt the received pre-encrypted content.

Processing may be provided by a secure processor located in the user terminal or a software task included in the user terminal CPU. The pre-encrypted content is received by the user terminal and decrypted when authorization is granted. Upon authorization, the content will be processed for display.

The pre-encrypted content may be received by the secure processor via a conventional receiver circuit. Alternatively, the pre-encrypted content may be received by the secure processor via direct memory access from device memory.

BRIEF DESCRIPTION OF THE DRAWINGS

Figure 1 is a block diagram of the functional components of the flexible pre-encryption architecture of the invention;

Figure 2 is a block diagram of another embodiment of the functional components of the flexible pre-encryption architecture of the invention; and

Figure 3 is a block diagram of the relevant components of a user terminal in accordance with the invention.

DETAILED DESCRIPTION OF THE INVENTION

Figure 1 illustrates the main components of an on-demand content communication system in accordance with the present invention. In particular, a method and apparatus are provided for access control of pre-encrypted on-demand content. The video encoder and post encoding processors are not shown, since they are well known in the art. As will be appreciated by those skilled in the art, any type of post processing to be done on the content file/data stream is performed prior to encryption.

Referring to Figure 1, a pre-encryption controller 10 sets up an encryption device 14 for encryption of the content 15. A server 12 forwards the content file/stream to the encryption device 14 for encryption of the content prior to distribution ("pre-encryption"). The encryption device encrypts the content file and forwards the pre-encrypted content back to the main server 12.

The pre-encryption controller 10 acts to set up the encryption device 14 for pre-encrypting the content. The set up of the encryption device 14 is outside the scope of this invention. For background purposes, it will suffice to state that the pre-encryption controller 10, through bi-directional communication with the encryption device 14, configures the encryption device 14 with appropriate parametric values and commands to enable the encryption device 14 appropriately to encrypt the content.

In one embodiment as shown in Figure 1, the pre-encrypted content is forwarded from the encryption device 14 to a server 12. The server may be a main server or a local distribution server. The pre-encryption controller provides a first tag and a second tag to the server 12 via line 17. The first tag is also provided to a user terminal 20 via line 19 or 21 depending upon the particular implementation, the first tag being associated with said second tag. The second tag acts as a reference to the pre-encrypted content and associated first tag, wherein the first and second tags are unique to the pre-encrypted content and are tracked by the pre-encryption controller 10. The pre-encrypted content is communicated from the server 12 to a user terminal 20 (e.g., a client device such as a set-top box) via a first communication path 21.

An entitlement authorization associated with the encrypted content is communicated to the user terminal 20 via a second communication path 19 independent of the first communication path. Authorization to access the pre-encrypted content is determined at the user terminal 20 based on said entitlement authorization and the first tag upon demand of the content by a user. Communication from the user terminal 20 back to the server 12 is provided on line 23.

The user terminal 20 may be a set-top box, a digital television or a host with point-of-deployment (POD) capability, or a personal computer (PC) or the like that provides the functionality of a set-top box.

In an alternate embodiment shown in Figure 2, the server is a main server 12' (e.g., a head-end server) which communicates the pre-encrypted content and first tag to the user terminal 20 via lines 25 and 27 and a local distribution server 18. The main server 12' can distribute the encrypted content to various local distribution servers (at various service provider locations, e.g., head-ends). The pre-encryption controller 10 is in communication with a local distribution controller 16, which controls, e.g., a cable television system or the like in a well known manner (e.g., a head-end controller in a cable television implementation). The local distribution controller 16 communicates the entitlement authorization to the user terminal 20 via line 29.

In a preferred embodiment, the first tag is an opaque data block (ODB) and the second tag is a unique reference handle (URH). The URH may be generated as a function of the ODB.

In one embodiment, the ODB and URH are both forwarded to both the local distribution controller 16 (via line 11) and the main server 12' (via line 13) from the pre-encryption controller 10. In an alternate embodiment, only the URH is forwarded to the main server 12' and the ODB is communicated from the local distribution controller 16 to the local distribution server 18 via line 22.
Either the ODB or the URH may be stored as an attribute of the encrypted content. Alternatively, both the URH and the ODB may be stored as an attribute of the encrypted content.

The ODB may be processed at the local distribution controller 16 to generate a modified, second ODB, which second ODB is forwarded from the local distribution controller 16 to the local distribution server 18. This processing at the local distribution controller 16 may include algorithmically modifying the ODB. This may be done as an offline process. Such reprocessing of the ODB at the local distribution controller 16 provides an added level of security since the post-processing ODBs are no longer the same across multiple local distribution controllers.
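The tag handling described above (the pre-encryption controller generating an ODB and a URH that is a function of it, and each local distribution controller reprocessing the ODB into a different second ODB), as an added Python example that is not part of the patent. The ODB layout, the HMAC-SHA256 masking transform used both for wrapping the content key and for the per-controller reprocessing, the truncated-hash URH, and all key values are assumptions made for this demonstration.

```python
"""Tag generation and per-controller ODB reprocessing (added demonstration)."""
import hashlib
import hmac
import struct

ODB_MAGIC = b"ODB1"   # constructed format marker; the real ODB layout is vendor-defined


def _mask(key: bytes, label: bytes, length: int) -> bytes:
    """Keyed mask (HMAC-SHA256) used to hide the key field carried inside an ODB."""
    return hmac.new(key, label, hashlib.sha256).digest()[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_odb(content_id: int, content_key: bytes, wrapping_key: bytes) -> bytes:
    """Pre-encryption controller builds the opaque data block.

    The content key is masked under a wrapping key shared with the authorized
    terminal population, so a third party that sees the ODB in transit cannot
    read the key out of it ("coded in a manner not readily discernable").
    """
    assert len(content_key) <= 32, "demo mask is one SHA-256 output wide"
    header = ODB_MAGIC + struct.pack(">I", content_id)
    return header + _xor(content_key, _mask(wrapping_key, header, len(content_key)))


def urh_of(odb: bytes) -> str:
    """Unique reference handle generated as a function of the ODB (assumed: truncated SHA-256)."""
    return hashlib.sha256(odb).hexdigest()[:16]


def reprocess_odb(odb: bytes, controller_key: bytes, controller_id: bytes) -> bytes:
    """Local distribution controller algorithmically modifies the ODB into a 'second ODB'.

    Re-masking the key field under a per-controller key means the same content
    has a different ODB at every controller, so an ODB captured in one
    distribution area does not unlock anything in another.  The transform is an
    XOR mask, so applying it a second time with the same key restores the input.
    """
    header, field = odb[:8], odb[8:]
    return header + _xor(field, _mask(controller_key, controller_id + header, len(field)))


def recover_content_key(second_odb: bytes, wrapping_key: bytes,
                        controller_key: bytes, controller_id: bytes):
    """A terminal provisioned by one controller peels off both layers."""
    odb = reprocess_odb(second_odb, controller_key, controller_id)
    header, field = odb[:8], odb[8:]
    content_id = struct.unpack(">I", header[4:8])[0]
    return content_id, _xor(field, _mask(wrapping_key, header, len(field)))


def demo():
    """Constructed sample run: one content item, two local distribution controllers."""
    content_key = bytes(range(32))               # constructed 256-bit content key
    wrapping_key = b"population-wrapping-key"    # constructed
    odb = make_odb(42, content_key, wrapping_key)
    urh = urh_of(odb)
    registry = {urh: (42, odb)}                  # pre-encryption controller tracks both tags
    key_a, key_b = b"controller-A-key", b"controller-B-key"   # constructed, one per controller
    second_a = reprocess_odb(odb, key_a, b"A")
    second_b = reprocess_odb(odb, key_b, b"B")
    return {
        "odb": odb, "urh": urh, "registry": registry,
        "second_a": second_a, "second_b": second_b,
        "key_a": recover_content_key(second_a, wrapping_key, key_a, b"A"),
        "key_b": recover_content_key(second_b, wrapping_key, key_b, b"B"),
        "content_key": content_key,
    }


if __name__ == "__main__":
    r = demo()
    print("URH:", r["urh"], "second ODBs differ:", r["second_a"] != r["second_b"])
```

The point to notice is the separation of roles: the URH is stable and lets the server and pre-encryption controller track the content without ever holding the key material in the clear, while the per-controller reprocessing means that a second ODB leaked from one head-end cannot be replayed at another. The masking here is only a stand-in; a deployment would wrap the key with a proper authenticated key-wrap so that a tampered ODB is rejected rather than silently yielding a wrong key.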

WO 00/67483 PCT/US00/09800

The system manufacturer specifies the ODB content and, for security reasons, the ODB itself may be coded in a manner that is not readily discernable by third parties. Alternatively, the ODB content may include an encryption key to be used for decryption or used to derive the key for decryption. The ODB may also include a hierarchy of encryption keys whose ultimate use is the derivation of the relevant key for decryption but with added levels of security. In the on-demand case, the ODB itself may also be encrypted (with an additional level of implementation complexity) using, for example, the recipient's public key. In the case of broadcast or multicast content, the ODB may be made available in advance since it is associated with the event or content to be viewed or received. Encryption of the ODB using the user's public key is extremely useful for the IP transport case where the system administrator has the option to make known what events are available when, e.g. via an Electronic Programming Guide (EPG). In this manner the ODB content is securable as deemed necessary without burdening the content providers or service vendors. In addition, the entitlement control is upgradeable without impacting the content providers or service vendors.

The pre-encrypted content may be broadcast, multicast, or singlecast such that only a user terminal 20 with appropriate entitlement authorization will be able to decrypt the broadcast, multicast, or singlecast content. Alternatively, the pre-encrypted content may be accessed via the Internet.

The entitlement authorization may comprise at least one of (i) an entitlement authorization for a service carrying the content, (ii) an entitlement authorization for the content itself, and (iii) an entitlement authorization for using ODB.

Figure 3 depicts the processing that takes place at the user terminal 20. The client application 40 (typically residing in a user terminal 20 such as a set-top box) then requests specific content from the server (either the server 12 of Figure 1 or local distribution server 18 of Figure 2), such as a video on demand (VOD) movie or any other interactive content. The server then sends the ODB to the client application device 40. After this set-up is completed, the server 18 starts sending the pre-encrypted content to the user terminal 20.

The client application 40 (e.g. software) running in the user terminal processor (CPU) 36 receives the ODB from a server application in the server 12 or local distribution server 18, as described in connection with Figures 1 and 2, and forwards it via an application program interface (API) 42 to the user terminal processor kernel 44. In the broadcast and multicast modes, the ODB may be made available ahead of time, before the actual broadcast or multicast event commences. In this case the ODB may be requested by and sent to the user by the local distribution controller (16). The ODB is then processed in the user terminal 20 in conjunction with the received entitlement authorization (as described in connection with Figures 1 and 2) to determine whether to decrypt the received pre-encrypted content.
Processing may be provided by a secure processor 32 located in the user terminal 20 or a software task included in the CPU 36. The pre-encrypted content is received by the user terminal 20 and decrypted when authorization is granted. Upon authorization, the content will be processed for display.

The pre-encrypted content may be received by the secure processor 32 via a conventional receiver circuit (i.e. receiver output of Figure 3). Alternatively, the pre-encrypted content may be received by the secure processor 32 via direct memory access from device memory 30. The decrypted output from the secure processor 32 is written back to memory 30 for further use by the CPU 36, or is forwarded to a demultiplexer/decoder 34 for further processing in a conventional manner.
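The terminal-side decision described for Figure 3 (the ODB arrives through the client application and API, the entitlement authorization arrives on the independent second path, and the secure processor or kernel task decides whether to release decrypted content), as an added Python example that is not the patent's own code. The entitlement message format and its HMAC integrity tag, the policy that an entitlement must grant either the carrying service (i) or the specific content (ii) and additionally use of the ODB (iii), the derivation of the content key from the ODB, and the HMAC counter-mode stand-in for the encryption device are all assumptions of this demonstration.

```python
"""Terminal-side access decision: ODB plus entitlement authorization (added demonstration)."""
import hashlib
import hmac
import json

BLOCK = 32  # keystream block width (one SHA-256 output)


def urh_of(odb: bytes) -> str:
    """Reference handle derived from the ODB the terminal holds (assumed: truncated SHA-256)."""
    return hashlib.sha256(odb).hexdigest()[:16]


def derive_content_key(odb: bytes) -> bytes:
    """One option the text lists: the ODB is used to derive the decryption key.
    The ODB is treated as already protected (coded, or encrypted to the recipient)
    before it reaches the terminal; this derivation adds no secrecy of its own."""
    return hashlib.sha256(b"content-key|" + odb).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for the encryption device: HMAC-SHA256 counter-mode keystream XORed
    over the data, so one call both encrypts and decrypts.  A real device would
    use a standard cipher; this exists only so the flow runs end to end."""
    out = bytearray()
    for n in range((len(data) + BLOCK - 1) // BLOCK):
        ks = hmac.new(key, n.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[n * BLOCK:(n + 1) * BLOCK], ks))
    return bytes(out)


def issue_entitlement(controller_key: bytes, terminal_id: str, service: str,
                      grants: dict, expires: int) -> bytes:
    """Local distribution controller issues the entitlement authorization on the
    second communication path.  grants may hold "service" (i), "content" = URH (ii)
    and "odb" = True (iii).  Integrity comes from an HMAC tag, a stand-in for
    whatever the deployed system signs with."""
    body = {"terminal": terminal_id, "service": service, "grants": grants, "exp": expires}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return payload + b"." + hmac.new(controller_key, payload, hashlib.sha256).hexdigest().encode()


def check_entitlement(controller_key: bytes, entitlement: bytes, terminal_id: str,
                      service: str, urh: str, now: int) -> str:
    """Return "ok" or the reason the secure processor refuses to decrypt."""
    payload, _, mac = entitlement.rpartition(b".")
    expected = hmac.new(controller_key, payload, hashlib.sha256).hexdigest().encode()
    if not payload or not hmac.compare_digest(mac, expected):
        return "bad_mac"                       # forged or tampered on the second path
    body = json.loads(payload)
    if body["terminal"] != terminal_id:
        return "wrong_terminal"                # replayed from another set-top box
    if body["exp"] < now:
        return "expired"
    g = body["grants"]
    # Policy assumption for this demo: (i) the carrying service or (ii) this exact
    # content must be granted, and (iii) use of the ODB must be granted as well.
    if g.get("service") != service and g.get("content") != urh:
        return "not_entitled"
    if not g.get("odb"):
        return "no_odb_entitlement"
    return "ok"


def terminal_decrypt(controller_key: bytes, entitlement: bytes, terminal_id: str,
                     service: str, odb: bytes, ciphertext: bytes, now: int):
    """Kernel / secure-processor step: bind the entitlement to this ODB through the
    URH, then release the decrypted content only when the check passes."""
    verdict = check_entitlement(controller_key, entitlement, terminal_id, service, urh_of(odb), now)
    if verdict != "ok":
        return verdict, None
    return "ok", keystream_xor(derive_content_key(odb), ciphertext)


def demo():
    """Constructed sample run: the accept case and three refusals."""
    ctrl_key = b"local-distribution-controller-key"          # constructed
    odb = b"ODB-constructed-opaque-bytes-for-movie-42"        # constructed
    plaintext = b"pre-encrypted VOD movie payload (constructed)"
    ct = keystream_xor(derive_content_key(odb), plaintext)   # what the server streams
    urh, now = urh_of(odb), 1_000
    good = issue_entitlement(ctrl_key, "stb-01", "vod", {"content": urh, "odb": True}, now + 3600)
    other = issue_entitlement(ctrl_key, "stb-01", "vod", {"content": "0" * 16, "odb": True}, now + 3600)
    stale = issue_entitlement(ctrl_key, "stb-01", "vod", {"service": "vod", "odb": True}, now - 1)
    forged = good[:-1] + (b"0" if good[-1:] != b"0" else b"1")   # one flipped MAC character

    def run(ent):
        return terminal_decrypt(ctrl_key, ent, "stb-01", "vod", odb, ct, now)

    return {"ok": run(good), "other_content": run(other)[0],
            "expired": run(stale)[0], "forged": run(forged)[0], "plaintext": plaintext}
```

Two design points carry over to a real terminal. First, the entitlement is bound to the content through the handle computed over the ODB the terminal actually holds, so an entitlement for one title cannot be paired with another title's ODB; the two paths are independent in transport but tied together at the decision point. Second, every refusal returns a distinct reason without touching the key, which is what a secure processor should log and what a detection pipeline at the head-end can count per terminal to spot replay or tampering attempts.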

It should now be appreciated that the present invention provides an improved method and apparatus for the delivery and access of pre-encrypted on-demand television services. In particular, the present invention provides a content pre-encryption method and apparatus that enables entitlement control to be effectively implemented independent of the transport protocol, e.g., MPEG-2 or Internet Protocol (IP), and to some extent independent of transmission mode (i.e., singlecast (e.g., on-demand), multicast, or broadcast). Additionally, the present invention provides encryption and access control capability that can be offered as a separate service to content providers, server vendors, cable system operators, and/or Internet service providers, or the like. The present invention enables entitlement authorization that can vary in sophistication as deemed necessary without burdening the content providers or service vendors. In addition, the entitlement control is upgradeable without impacting the content providers or service vendors.

Although the invention has been described in connection with certain preferred embodiments, it should be appreciated that numerous adaptations and modifications may be made thereto without departing from the scope of the invention as set forth in the claims.

What is claimed is:

1. A method of providing access control for pre-encrypted on-demand content, comprising the steps of:

pre-encrypting the content;

forwarding the pre-encrypted content to a server;

providing a first tag to a user terminal, said first tag being associated with a second tag;

said second tag acting as a reference to the pre-encrypted content and associated first tag, wherein said first and second tags are unique to the pre-encrypted content and are tracked by a pre-encryption controller;

providing at least said second tag to said server;

communicating the pre-encrypted content from said server to said user terminal via a first communication path;

communicating an entitlement authorization associated with the pre-encrypted content to said user terminal via a second communication path independent of said first communication path; and

determining whether said user terminal is authorized to access said pre-encrypted content based on said entitlement authorization and said first tag upon demand of said content by a user.
2. A method in accordance with claim 1, wherein:

the server is a main server;

the main server communicates the pre-encrypted content and first tag to the user terminal via a local distribution server; and

the pre-encryption controller is in communication with a local distribution controller, which local distribution controller communicates the entitlement authorization to the user terminal.

3. A method in accordance with claim 2, wherein:

the first tag is an opaque data block (ODB); and

the second tag is a unique reference handle (URH).

4. A method in accordance with claim 3, comprising the further step of forwarding the ODB and associated URH to the local distribution controller.

5. A method in accordance with claim 3, wherein only the URH is forwarded to the main server, further comprising the steps of:

communicating the ODB from the local distribution controller to the local distribution server.

6. A method in accordance with claim 5, wherein the ODB is processed at the local distribution controller to generate a second ODB, which second ODB is forwarded from the local distribution controller to the local distribution server.

7. A method in accordance with claim 3, wherein:

the pre-encrypted content is broadcast;

the ODB is broadcast; and

only a user terminal with appropriate entitlement authorization will be able to decrypt the broadcast content.

8. A method in accordance with claim 3, wherein:

the pre-encrypted content is multicast;

the ODB is multicast; and

only a user terminal with appropriate entitlement authorization will be able to decrypt the multicast content.

9. A method in accordance with claim 3, wherein:

the pre-encrypted content is singlecast;

the ODB is singlecast; and

only a user terminal with appropriate entitlement authorization will be able to decrypt the singlecast content.

10. A method in accordance with claim 3, wherein the entitlement authorization comprises at least one of (i) an entitlement authorization for a service carrying the content, (ii) an entitlement authorization for the content itself, and (iii) an entitlement authorization for using ODB.
11. A method in accordance with claim 3, further comprising the steps of:

forwarding the ODB from a server application via an application program interface in the user terminal to a kernel located in the user terminal;

processing the ODB in conjunction with the received entitlement authorization such that the processor determines whether to decrypt the received pre-encrypted content;

receiving the pre-encrypted content;

decrypting the pre-encrypted content when authorization is granted; and

processing the decrypted content for display.

12. A method in accordance with claim 11, wherein the pre-encrypted content is received by the secure processor via a receiver circuit.

13. A method in accordance with claim 11, wherein the pre-encrypted content is received by the secure processor via direct memory access from device memory.

14. A method in accordance with claim 3, wherein the ODB is coded in a manner that is not readily discernable by third parties.

15. A method in accordance with claim 3, wherein the ODB content includes one of an encryption key or a hierarchy of encryption keys.

16. A method in accordance with claim 3, wherein the ODB itself is encrypted.

17. A method in accordance with claim 16, wherein the ODB is encrypted using the user's public key.

18. A method in accordance with claim 3, wherein the user terminal is one of a set-top box, a digital television or a host with point-of-deployment capability, or a personal computer.

19. A method in accordance with claim 3, wherein one of the URH and the ODB is stored as an attribute of the pre-encrypted content.

20. A method in accordance with claim 3, wherein each of the URH and the ODB are stored as an attribute of the pre-encrypted content.

21. A method in accordance with claim 3, wherein the pre-encrypted content is accessed via the Internet.

22. An apparatus for providing access control for pre-encrypted on-demand content, comprising:

an encryption device for encrypting the content;

a server for receiving the pre-encrypted content from the encryption device;

a pre-encryption controller for generating a first tag and an associated second tag, said second tag acting as a reference to the pre-encrypted content and associated first tag, wherein said first tag and second tag are unique to the pre-encrypted content and are tracked by the pre-encryption controller;

a user terminal for receiving entitlement authorization associated with the pre-encrypted content;

said first tag being communicated to a user terminal and said second tag being communicated to the server;

wherein the user terminal determines whether it is authorized to access said pre-encrypted content based on said entitlement authorization and said first tag upon demand of said content by a user.

23. An apparatus in accordance with claim 22, wherein:

the server is a main server;

the main server communicates the pre-encrypted content and first tag to the user terminal via a local distribution server; and

the pre-encryption controller is in communication with a local distribution controller, which local distribution controller communicates the entitlement authorization to the user terminal.

24. An apparatus in accordance with claim 23, wherein:

the first tag is an opaque data block (ODB); and

the second tag is a unique reference handle (URH).

25. An apparatus in accordance with claim 24, wherein the local distribution controller receives the ODB and associated URH from the pre-encryption controller.
26. An apparatus in accordance with claim 24, wherein:

the main server receives only the URH from the pre-encryption controller; and

the local distribution controller communicates the ODB to the local distribution server.

27. An apparatus in accordance with claim 26, wherein the ODB is processed at the local distribution controller to generate a second ODB, which second ODB is forwarded from the local distribution controller to the local distribution server.

28. An apparatus in accordance with claim 24, wherein:

the pre-encrypted content is broadcast;

the ODB is broadcast; and

only a user terminal with appropriate entitlement authorization will be able to decrypt the broadcast content.

29. An apparatus in accordance with claim 24, wherein:

the pre-encrypted content is multicast;

the ODB is multicast; and

only a user terminal with appropriate entitlement authorization will be able to decrypt the multicast content.

30. An apparatus in accordance with claim 24, wherein:

the pre-encrypted content is singlecast;

the ODB is singlecast; and

only a user terminal with appropriate entitlement authorization will be able to decrypt the singlecast content.

31. An apparatus in accordance with claim 24, wherein the entitlement authorization comprises at least one of (i) an entitlement authorization for a service carrying the content, (ii) an entitlement authorization for the content itself, and (iii) an entitlement authorization for using ODB.

32. An apparatus in accordance with claim 24, wherein the user terminal comprises:

a client application using a program interface for forwarding the ODB from the local distribution server to a kernel;

said kernel receiving the ODB via the application program interface and the entitlement authorization from the local distribution controller; and

a secure processor for receiving the ODB and entitlement authorization from the kernel and receiving the pre-encrypted content from the local distribution server, wherein the processor processes the ODB in conjunction with entitlement authorization such that the processor determines whether to decrypt the received pre-encrypted content.

33. An apparatus in accordance with claim 32, wherein the secure processor receives the pre-encrypted content via a receiver circuit.
34. An apparatus in accordance with claim 32, wherein the secure processor receives the pre-encrypted content via direct memory access from device memory.

35. An apparatus in accordance with claim 24, wherein the ODB is coded in a manner that is not readily discernable by third parties.

36. An apparatus in accordance with claim 24, wherein the ODB content includes one of an encryption key or a hierarchy of encryption keys.

37. An apparatus in accordance with claim 24, wherein the ODB itself is encrypted.

38. An apparatus in accordance with claim 37, wherein the ODB is encrypted using the user's public key.

39. An apparatus in accordance with claim 24, wherein the user terminal is one of a set-top box, a digital television or a host with point-of-deployment capability, or a personal computer.

40. An apparatus in accordance with claim 24, wherein one of the URH and the ODB is stored as an attribute of the pre-encrypted content.

41. An apparatus in accordance with claim 24, wherein each of the URH and the ODB are stored as an attribute of the pre-encrypted content.

42. An apparatus in accordance with claim 24, wherein the pre-encrypted content is accessed via the Internet.